Selecting polynomials for the Function Field Sieve

Razvan Barbulescu
Université de Lorraine, CNRS, INRIA, France
razvan.barbulescu@inria.fr

Abstract

The Function Field Sieve algorithm is dedicated to computing discrete logarithms in a finite field $\mathbb{F}_{q^n}$, where $q$ is a small prime power. The scope of this article is to select good polynomials for this algorithm by defining and measuring the size property and the so-called root and cancellation properties. In particular we present an algorithm for rapidly testing a large set of polynomials. Our study also explains the behaviour of inseparable polynomials; in particular we give an easy way to see that the algorithm encompasses the Coppersmith algorithm as a particular case.



1 Introduction 



The Function Field Sieve (FFS) algorithm is dedicated to computing discrete logarithms in a finite field $\mathbb{F}_{q^n}$, where $q$ is a small prime power. Introduced by Adleman in [Adl94] and inspired by the Number Field Sieve (NFS), the algorithm collects pairs of polynomials $(a,b) \in \mathbb{F}_q[t]^2$ such that the norms of $a - bx$ in two function fields are both smooth (the sieving stage), i.e. having only irreducible divisors of small degree. It then solves a sparse linear system (the linear algebra stage), whose solutions, called virtual logarithms, allow one to compute the discrete logarithm of any element during a final stage (individual logarithm stage).

The choice of the defining polynomials $f$ and $g$ for the two function fields can be seen as a preliminary stage of the algorithm. It takes a small amount of time but it can greatly influence the sieving stage by slightly changing the probabilities of smoothness. In order to solve the discrete logarithm in $\mathbb{F}_{q^n}$, the main required property of $f, g \in \mathbb{F}_q[t][x]$ is that their resultant $\mathrm{Res}_x(f,g)$ has an irreducible factor $\varphi(t)$ of degree $n$. Various methods have been proposed to build such polynomials.

The base-$m$ method of polynomial selection, proposed by Adleman [Adl94], consists in choosing $\varphi(t)$ an irreducible polynomial of degree $n$, setting $g = x - m$, where $m$ is a power of $t$, and $f$ equal to the base-$m$ expansion of $\varphi$. He obtained a subexponential complexity of $L_{q^n}(1/3, c)^{1+o(1)}$ with $c = \sqrt[3]{64/9}$. Adleman and Huang [AH99] chose $\varphi$ to be a sparse polynomial and obtained a constant $c = \sqrt[3]{32/9}$. They also noted that the previously known algorithm of Coppersmith [Cop84] can be seen as a particular case of the FFS. Finally, Joux and Lercier [JL02] introduced a method which, without improving the complexity, behaves better in practice. It consists in selecting a polynomial $f$ with small degree coefficients and then randomly testing linear polynomials $g = g_1 x + g_0$ until $\mathrm{Res}_x(f,g)$ has an irreducible factor of degree $n$. In [JL06] Joux and Lercier proposed two additional variants of their method. In the first one, that can be called Two rational sides, we add the condition that $f$ has degree 1 in $t$. Its main advantage is that its description does not require the theory of function fields. The second variant, called the Galois improvement, applies to the case where $n$ is composite.

In this paper we improve the method of Joux and Lercier [JL02] by showing how to select the non-linear polynomial $f$. For that we follow the strategy that was developed in the factorization context. In particular Murphy [Mur99] introduced and used criteria which allow one to rapidly rank any set of polynomials. See [Bai11] for recent developments in this direction.

Therefore, we introduce relevant functions for the sieving efficiency of a polynomial, taking into account a size property, a so-called root property that reflects the behaviour modulo small irreducible polynomials, and a cancellation property, which is analogous to the real roots property for the NFS. We also present efficient algorithms for quantifying these properties. Special attention is given to the particular case where $f$ is not separable. Indeed, this is a phenomenon that has no analogue in the factorization world and that has strong repercussions on the sieving efficiency.

Recent works on composite extensions. In the past few weeks, the algorithm in [JL06] was the object of further improvements in [Jou12], [GGMZ13] and [Jou13], all of them being very well adapted to the case of composite extensions. The most important of them is Joux's new algorithm, which is especially suited to the fields $\mathbb{F}_{q^{2k}}$ with $q$ close to $k$ and whose complexity is $L(1/4 + o(1))$. Moreover, under some overhead hidden by the $o(1)$, Joux's algorithm can be adapted to the case $\mathbb{F}_{q^k}$ when $q$ and $k$ are both prime.

In this context, the FFS keeps its interest for both theoretical and practical reasons. On the one hand, the FFS applies to a wider set of finite fields, as the $L(1/4 + o(1))$ complexity was only obtained for constant characteristic. On the other hand, except for the composite case, the crossing point between the FFS and Joux's algorithm [Jou13] is still to be determined.

Outline. The article is organized as follows. Section 2 lists the properties which improve the sieve yield. Section 3 combines the previously defined functions in order to compare arbitrary polynomials and shows how to rapidly test a large number of candidate polynomials. Section 4 focuses on the case of inseparable polynomials and, in particular, the Coppersmith algorithm. Section 5 applies the theoretic results to a series of examples. Finally, Section 6 makes the synthesis.

2 Quantification functions 
2.1 Size property 

We start by deciding the degrees in $t$ and $x$ of the two polynomials $f$ and $g$. The FFS has always been implemented for polynomials $f$ with small coefficients in $t$ and for polynomials $g$ of degree 1 in $x$, as in [JL02]. It might not be obvious that this is the best choice. For instance in the case of the NFS, both for factorization [Mon06, PZ11] and discrete logarithm [JL03], pairs of non-linear polynomials were used. In the following, we argue that the classical choice is indeed the best one.

Let us first recall the nature of the objects we have to test for smoothness. The FFS collects coprime pairs $(a(t), b(t)) \in \mathbb{F}_q[t]^2$ such that the norms of $a - bx$ in the function fields of $f$ and $g$ are both smooth. These norms are polynomials in $t$ of a simple form: denoting $F(X,Y) = f(X/Y)\,Y^{\deg_x f}$ the homogenization of $f(x)$, the norm of $a - bx$ is just $F(a,b)$. Similarly, we denote $G(X,Y)$ the homogenization of $g(x)$, and the second norm is $G(a,b)$. As a consequence, the polynomial selection stage can be restated as the search for polynomials $f$ and $g$ such that $F(a,b)$ and $G(a,b)$ are likely to be both smooth for coprime pairs $(a,b)$ in a given range.

As a first approximation, we translate this condition into the fact that the degree of the product $F(a,b)G(a,b)$ is as small as possible. It will be refined all along this paper.

Fact 2.1. Assume that we have to compute discrete logarithms in $\mathbb{F}_{q^n}$, with polynomials $f, g \in \mathbb{F}_q[t][x]$ such that $\deg_x g \le \deg_x f$. If for bounded $a$ and $b$, the polynomials $f$ and $g$ minimize $\max\{\deg F(a,b)G(a,b)\}$, then we have $\deg_x g = 1$.

Argument. Let $(a,b)$ be any pair of maximal degree $e$, and assume that there is no cancellation of the monomials in $F(a,b)$ and $G(a,b)$ respectively. Then one has
$$\deg\big(F(a,b)G(a,b)\big) = \deg_t g + e\deg_x g + \deg_t f + e\deg_x f. \qquad (1)$$
The degree of the resultant of $f$ and $g$ can be bounded by $\deg \mathrm{Res}(f,g) \le \deg_x f \deg_t g + \deg_x g \deg_t f$. Since we need this resultant to be of degree at least $n$, we impose
$$\deg_x f \deg_t g + \deg_x g \deg_t f \ge n. \qquad (2)$$
For a fixed value of the left hand side in Equation (2), in order to minimize the expression in Equation (1) we need to minimize $\deg_t f$. Therefore we set $\deg_t f$ as small as possible; let us call this degree $\varepsilon$. Hence the optimization problem becomes
$$\text{minimize } \big(e\deg_x f + \varepsilon + e\deg_x g + \deg_t g\big) \quad \text{when } \deg_x f \deg_t g + \varepsilon \deg_x g \ge n.$$
Since one can decrease $\deg_x g$ without changing too much the left hand side of the constraint, the choice $\deg_x g = 1$ is optimal. □

In the rest of the article we simply write $d$ for $\deg_x f$. The degree of $g$ in $t$ is then about $n/d$.

Remark 2.2. We decided to optimize the degree of the product of the norms. In terms of smoothness probability, this is only pertinent if both norms have similar degrees. More precisely, as the logarithm of Dickman's rho function is concave, it can be shown that it is optimal to balance the degrees of the norms. Hence sensible choices of the parameters are such that $de \approx \frac{n}{d} + e$.

We are now ready to quantify the size property for a single polynomial $f$. It clearly depends on the bound $e$ on both $\deg a$ and $\deg b$. In the following definition, we also take into account the skewness improvement as implemented in [DGV13], that is, we set the skewness $s$ to be the difference between the bounds on the degree of $a$ and of $b$. We can then define sigma to match the average degree of $F(a,b)$ for $(a,b)$ in a domain of polynomials of degrees bounded by $\lfloor e + s/2 \rfloor$ and $\lfloor e - s/2 \rfloor$, when no cancellation occurs among the monomials of $F(a,b)$. This translates into the following formal definition.

Definition 2.3. Let $f \in \mathbb{F}_q[t][x]$ be a polynomial, $s$ the skewness parameter and $e$ the sieve size parameter. We define:
$$\sigma(f,s,e) = \sum_{\substack{0 \le d_a \le e + s/2 \\ 0 \le d_b \le e - s/2}} p_{d_a,d_b}\, \max_{i}\big(\deg(f_i) + i\,d_a + (d-i)\,d_b\big), \qquad (3)$$
with $p_{d_a,d_b} = (q-1)^2\, q^{d_a+d_b} \big/ q^{\lfloor e+s/2\rfloor + \lfloor e-s/2\rfloor + 2}$.



2.2 Root property 

As a first approximation, for a random pair $(a,b) \in \mathbb{F}_q[t]^2$, $F(a,b)$ has a smoothness probability of the same order of magnitude as random polynomials of the same degree. Nevertheless, we shall show that for a fixed size property, some polynomials improve this probability by a factor of 2 or more.

Consider the example of $f = x(x-1) - (t^{?} - t)$ in $\mathbb{F}_2[t][x]$. For all monic irreducible polynomials $\ell$ of degree at most 3, $\ell$ divides the constant term, so $f$ has two roots modulo $\ell$. For each such $\ell$ and for all $b$ not divisible by $\ell$, there are 2 residues of $a$ modulo $\ell$ such that $F(a,b) \equiv 0 \bmod \ell$. Therefore, for all $\ell$ of degree 3 or less, the probability that $\ell$ divides the norm is heuristically twice as large as the probability that it divides a random polynomial. This influences in turn the smoothness probability. This effect is quantified by the function alpha that we now introduce.



2.2.1 Definition of alpha 

Introduced by Murphy [Mur99] in the case of the NFS, alpha can be extended to the case of the FFS. Let $\ell$ be a monic irreducible polynomial in $\mathbb{F}_q[t]$ and let us call $\ell$-part of a polynomial $P$ the largest power of $\ell$ dividing $P$. We shall prove that the quantity below is the degree difference between the $\ell$-part of a random polynomial and the $\ell$-part of $F(a,b)$ for a random coprime pair $(a,b) \in \mathbb{F}_q[t]^2$. Let us first properly define the average of a function on a set of polynomials.

Definition 2.4. Let $v$ be a real function of one or two polynomial variables, $v : \mathbb{F}_q[t] \to \mathbb{R}$ or $v : \mathbb{F}_q[t] \times \mathbb{F}_q[t] \to \mathbb{R}$. Let $S$ be a subset of the domain of $v$. For any pair $(a,b)$ of polynomials, we write $\deg(a,b)$ for $\max(\deg(a), \deg(b))$. If the limit below exists we call it the average of $v$ over $S$ and denote it by $A(v,S)$:
$$A(v,S) = \lim_{N \to \infty} \frac{\sum_{s \in S,\ \deg(s) < N} v(s)}{\#\{s \in S \mid \deg(s) < N\}}.$$

Definition 2.5. Let $L$ denote the set of monic irreducible polynomials in $\mathbb{F}_q[t]$. Put $D = \{(a,b) \in \mathbb{F}_q[t]^2 \mid \gcd(a,b) = 1\}$. Take a non-constant polynomial $f \in \mathbb{F}_q[t][x]$. When the right hand members are defined, we set for all $\ell \in L$:
$$\alpha_\ell(f) = \deg(\ell)\,\Big(A\big(v_\ell(P), \{P \in \mathbb{F}_q[t]\}\big) - A\big(v_\ell(F(a,b)), \{(a,b) \in D\}\big)\Big), \qquad \alpha(f) = \sum_{\ell \in L} \alpha_\ell(f),$$
where $v_\ell$ is the valuation at $\ell$. The infinite sum which defines $\alpha(f)$ must be seen as a formal notation, and by its sum we denote the limit, when $b_0$ goes to infinity, of $\alpha(f, b_0) := \sum_{\ell \in L,\ \deg \ell < b_0} \alpha_\ell(f)$.

Notation 2.6. For all irreducible polynomials $\ell \in \mathbb{F}_q[t]$, $N(\ell)$ denotes the number of residues modulo $\ell$, i.e. $q^{\deg \ell}$.

We call affine root of $f$ modulo $\ell^k$ any $r \in \mathbb{F}_q[t]$ such that $\deg r < k \deg \ell$ and $F(r,1) = f(r) \equiv 0 \bmod \ell^k$. Also we call projective root of $f$ modulo $\ell^k$ the polynomials $r \in \mathbb{F}_q[t]$ such that $\ell \mid r$, $\deg r < k \deg \ell$ and $F(1,r) \equiv 0 \bmod \ell^k$. Note that, when $k = 1$, any affine and projective roots can be seen as elements of $\mathbb{P}^1(\mathbb{F}_q(t))$, hence we denote them $(r : 1)$ and $(1 : r)$ respectively.

Notation 2.7. We denote by $S(f,\ell)$ the set of affine and projective roots modulo $\ell^k$ for any $k$:
$$S(f,\ell) = \{(r,k) \mid k \ge 1,\ r \text{ affine or projective root of } f \text{ modulo } \ell^k\}. \qquad (4)$$

Proposition 2.8. Let $f \in \mathbb{F}_q[t][x]$ and $\ell \in \mathbb{F}_q[t]$ a monic irreducible polynomial. Then $\alpha_\ell$ exists and we have
$$\alpha_\ell(f) = \deg(\ell)\left(\frac{1}{N(\ell)-1} - \sum_{(r,k) \in S(f,\ell)} \frac{1}{N(\ell)^{k-1}\,(N(\ell)+1)}\right). \qquad (5)$$

Proof. In order to prove the convergence of Equation (5), note that some elements of $S(f,\ell)$ group into infinite sequences $\{(r^{(k)}, k)\}_k$ with $r^{(k)} \equiv r^{(k-1)} \bmod \ell^{k-1}$. Since each infinite sequence defines a root of $f$ in the $\ell$-adic completion of $\mathbb{F}_q(t)$, there are at most $d$ such sequences, whose contributions converge geometrically. There are only finitely many remaining elements of $S(f,\ell)$, because otherwise one could extract an additional $\ell$-adic root. This proves the convergence.

In order to show the equality, note that we have $A(v_\ell(P), \mathbb{F}_q[t]) = \sum_{k \ge 1} \frac{1}{N(\ell)^k} = \frac{1}{N(\ell)-1}$. Indeed, for all $k \in \mathbb{N}$, the density of the set of polynomials divisible by $\ell^k$ is the inverse of the number of residues modulo $\ell^k$, which is $q^{\deg(\ell)\,k} = N(\ell)^k$.

Let us compute $\alpha_\ell^{\mathrm{loc}} := A\big(v_\ell(F(a,b)), \{(a,b) \in \mathbb{F}_q[t]^2 \mid \gcd(a,b) \not\equiv 0 \bmod \ell\}\big)$. This corresponds to the contribution of $F(a,b)$ in the definition of $\alpha_\ell$. The condition $\gcd(a,b) = 1$ has been replaced by a local condition. Since we are only interested in $\ell$-valuations, this does not change the result. The number of $\ell$-coprime pairs $(a,b)$ of degree less than $k \deg \ell$ is $N(\ell)^{2k} - N(\ell)^{2k-2}$. Such a pair $(a,b)$ satisfies $\ell^k \mid F(a,b)$ if and only if $\ell \nmid b$ and $ab^{-1}$ is an affine root modulo $\ell^k$, or $\ell \mid b$ and $ba^{-1}$ is a projective root modulo $\ell^k$. For each affine root $r$, the number of $\ell$-coprime pairs $(a,b)$ such that $a \equiv br \bmod \ell^k$ equals the number of choices for $b$, which is $N(\ell)^k - N(\ell)^{k-1}$. Similarly, for each projective root, the number of coprime pairs $(a,b)$ such that $b \equiv ar \bmod \ell^k$ is the number of choices for $a$, which is $N(\ell)^k - N(\ell)^{k-1}$. Hence, it follows that for each $(r,k) \in S(f,\ell)$, the probability that the residues of a coprime pair $(a,b)$ modulo $\ell^k$ match the root $(r,k)$ is given by the formula below, where $(a : b) \equiv r \bmod \ell^k$ is short for $r \equiv ab^{-1} \bmod \ell^k$ when $\ell \nmid b$ or $r \equiv ba^{-1} \bmod \ell^k$ when $\ell \mid b$:
$$\mathbb{P}\big((a:b) \equiv r \bmod \ell^k\big) = \frac{N(\ell)^k - N(\ell)^{k-1}}{N(\ell)^{2k} - N(\ell)^{2k-2}} = \frac{1}{N(\ell)^{k-1}\,(N(\ell)+1)}. \qquad (6)$$
The following equation is intuitive, so that we postpone its proof until Lemma A.1 in the Appendix. The technicalities arise due to the fact that calling the quantities "probability" is formally incorrect, and must be replaced by natural densities.
$$\alpha_\ell^{\mathrm{loc}}(f) = \sum_{k \ge 1} k\,\mathbb{P}\big(v_\ell(F(a,b)) = k\big) = \sum_{k \ge 1} \mathbb{P}\big(v_\ell(F(a,b)) \ge k\big) = \sum_{(r,k) \in S(f,\ell)} \mathbb{P}\big((a:b) \equiv r \bmod \ell^k\big). \qquad (7)$$
Replacing $\alpha_\ell^{\mathrm{loc}}$ in the formula $\alpha_\ell(f) = \frac{\deg(\ell)}{N(\ell)-1} - \deg(\ell)\,\alpha_\ell^{\mathrm{loc}}(f)$ and using Equation (6) yields the desired result. □

If $f$ has only simple roots modulo $\ell$, then by Hensel's Lemma $f$ has the same number of roots modulo every power of $\ell$. We obtain the following formula.

Corollary 2.9. Let $f \in \mathbb{F}_q[t][x]$ and $\ell$ a monic irreducible polynomial in $\mathbb{F}_q[t]$ such that the affine and projective roots of $f$ modulo $\ell$ are simple, and call $n_\ell$ their number. Then
$$\alpha_\ell(f) = \frac{\deg \ell}{N(\ell)-1}\left(1 - n_\ell\,\frac{N(\ell)}{N(\ell)+1}\right). \qquad (8)$$
2.2.2 The case of linear polynomials 

Showing that $\alpha(f)$ converges is not trivial and, to our knowledge, it is not proven in the NFS case. Let us first show that $\alpha(g)$ converges for linear polynomials $g$. This requires the following classical identity.

Lemma 2.10. (Chapter I, [Apo90]) Let $\mu$ denote the Möbius function and let $x$ be such that $|x| < 1$. Then we have
$$\sum_{h \ge 1} \mu(h)\,\frac{x^h}{1 - x^h} = x. \qquad (9)$$

Notation 2.11. We denote by $I_k$ the number of monic degree-$k$ irreducible polynomials in $\mathbb{F}_q[t]$.

Theorem 2.12. Let $g \in \mathbb{F}_q[t][x]$ be such that $\deg_x g = 1$. Then
$$\alpha(g) = \frac{1}{q-1}.$$

Proof. Let $L$ be the set of monic irreducible polynomials in $\mathbb{F}_q[t]$. We shall prove that, when $b_0$ goes to infinity, $\sum_{\ell \in L,\ \deg \ell < b_0} \alpha_\ell(g)$ tends to $\frac{1}{q-1}$. In Equation (8) one has $n_\ell = 1$ and therefore
$$\sum_{\ell \in L,\ \deg \ell < b_0} \alpha_\ell(g) = \sum_{\ell \in L,\ \deg \ell < b_0} \frac{\deg(\ell)}{N(\ell)^2 - 1} = \sum_{k < b_0} \frac{k\, I_k}{q^{2k} - 1}.$$
Since $k I_k = \sum_{h \mid k} \mu(h)\, q^{k/h}$, the series transforms into a double series for which we shall prove the absolute convergence and compute the sum:
$$\sum_{k \ge 1} \sum_{h \mid k} \frac{\mu(h)\, q^{k/h}}{q^{2k} - 1}.$$
The absolute value of the term $\frac{\mu(h)\, q^{k/h}}{q^{2k}-1}$ is bounded by $\frac{q^k}{q^{2k}-1}$. It follows easily that the series of absolute values converges. Therefore, we can change the summation order:
$$\sum_{k \ge 1} \sum_{h \mid k} \frac{\mu(h)\, q^{k/h}}{q^{2k} - 1} = \sum_{i \ge 1} q^i \left(\sum_{h \ge 1} \frac{\mu(h)}{q^{2hi} - 1}\right).$$
Applying Lemma 2.10 to $x = q^{-2i}$ leads to $\sum_{h \ge 1} \frac{\mu(h)}{q^{2hi} - 1} = q^{-2i}$. This shows that, when $b_0$ goes to infinity, $\sum_{\deg \ell < b_0} \alpha_\ell(g)$ tends to
$$\sum_{i \ge 1} \frac{1}{q^i} = \frac{1}{q-1}. \qquad (10)$$
□
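As an added illustration (this is not code from the paper), the following Python script evaluates the truncated sum $\alpha(f, b_0)$ over $\mathbb{F}_2[t]$ by enumerating the monic irreducibles $\ell$ up to a chosen degree, counting the affine and projective roots $n_\ell$ of $f$ modulo $\ell$, and applying the Corollary 2.9 formula (8); for a linear polynomial the sum approaches $1/(q-1) = 1$, as Theorem 2.12 predicts. The inputs $f = x^2 + x + t^8 + t$ and $g = x + t^3$ are constructed for this example, the former chosen so that every irreducible of degree 1 or 3 divides its constant term, in the spirit of the example of Section 2.2.

```python
# Added example (not the paper's code): truncated alpha over F_2[t] via Corollary 2.9.
# A polynomial of F_2[t] is a Python int whose bit i is the coefficient of t^i;
# a polynomial f of F_2[t][x] is a list [f_0, ..., f_d] of such ints.

Q = 2  # base field size; the carry-less arithmetic below is specific to F_2


def deg(p):
    """Degree of p in F_2[t]; -1 for the zero polynomial."""
    return p.bit_length() - 1


def mul(a, b):
    """Carry-less product in F_2[t]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def mod(a, m):
    """Remainder of a modulo m in F_2[t] (m != 0)."""
    dm = deg(m)
    while a and deg(a) >= dm:
        a ^= m << (deg(a) - dm)
    return a


def monic_irreducibles(max_deg):
    """All monic irreducibles of F_2[t] of degree <= max_deg, by trial division."""
    irr = []
    for k in range(1, max_deg + 1):
        for p in range(1 << k, 1 << (k + 1)):          # monic polynomials of degree k
            if all(mod(p, q) for q in irr if 2 * deg(q) <= k):
                irr.append(p)
    return irr


def eval_mod(f, r, ell):
    """f(r) modulo ell, by Horner's rule with every step reduced modulo ell."""
    acc = 0
    for coeff in reversed(f):
        acc = mod(mul(acc, r) ^ coeff, ell)
    return acc


def count_roots(f, ell):
    """n_ell: affine roots r with deg r < deg ell, plus the projective root (1:0) if ell | f_d."""
    affine = sum(1 for r in range(1 << deg(ell)) if eval_mod(f, r, ell) == 0)
    projective = 1 if mod(f[-1], ell) == 0 else 0
    return affine + projective


def alpha_ell(f, ell):
    """Equation (8): deg(ell)/(N-1) * (1 - n_ell * N/(N+1)) with N = 2^deg(ell).
    Exact only when the roots modulo ell are simple, i.e. ell does not divide Disc(f) f_d."""
    n = Q ** deg(ell)
    return deg(ell) / (n - 1) * (1 - count_roots(f, ell) * n / (n + 1))


def alpha_truncated(f, max_deg):
    """alpha(f, b_0): sum of alpha_ell over all monic irreducibles of degree <= max_deg."""
    return sum(alpha_ell(f, ell) for ell in monic_irreducibles(max_deg))


if __name__ == "__main__":
    # constructed input: f = x^2 + x + (t^8 + t); t^8 + t is the product of all monic
    # irreducibles of degree 1 and 3 over F_2, so each of them divides f_0
    f = [(1 << 8) | 2, 1, 1]
    for ell in monic_irreducibles(3):
        print(f"deg ell = {deg(ell)}: n_ell = {count_roots(f, ell)}")
    print("alpha(f) summed to degree 10:", round(alpha_truncated(f, 10), 4))
    # Theorem 2.12: for a linear polynomial the sum tends to 1/(q-1) = 1 over F_2
    g = [1 << 3, 1]  # constructed: g = x + t^3
    print("alpha(g) summed to degree 10:", round(alpha_truncated(g, 10), 4))
```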



We conclude the subsection by showing the convergence of alpha. Let now $C$ be a (singular or non-singular) projective curve. Call $\mathcal{P}_k(C)$ the set of points of $C$ with coefficients in $\mathbb{F}_{q^k}$ and $P_k(C)$ its cardinality. Next, call $\mathcal{P}'_k(C)$ the set of points in $\mathcal{P}_k(C)$ whose $t$-coordinate does not belong to a strict subfield of $\mathbb{F}_{q^k}$. Finally, we denote by $P'_k(C)$ its cardinality.

We shall need the following intermediate result. 

Lemma 2.13. Let $C$ be a projective plane curve of degree $d_0$ defined over $\mathbb{F}_q$ and let $g_0 = (d_0-1)(d_0-2)/2$ be its arithmetic genus. Then, for all $k \ge 1$,
$$\big|P'_k(C) - (q^k + 1)\big| \le (4g_0 + 6)\, q^{k/2}. \qquad (11)$$

Proof. Let $\tilde C$ be a non-singular model for $C$ and let $g$ be its geometric genus. We apply the Hasse–Weil Theorem and obtain:
$$\big|P_k(\tilde C) - (q^k + 1)\big| \le 2g\, q^{k/2}. \qquad (12)$$
Next, according to Chapter VI in [Ful69],
$$\big|P_k(C) - P_k(\tilde C)\big| \le g_0 - g. \qquad (13)$$
Every point $(t_0, x_0)$ of $\mathcal{P}_k(C) \setminus \mathcal{P}'_k(C)$ is determined by the choice of: a) a strict divisor $d$ of $k$, b) an element $t_0 \in \mathbb{F}_{q^d}$, c) a root $x_0$ of $f(t_0, x)$ in $\mathbb{F}_{q^k}$. Therefore:
$$\big|P'_k(C) - P_k(C)\big| \le \sum_{d \mid k,\ 1 \le d < k} q^d \deg_x(f). \qquad (14)$$
On the one hand $\deg_x f \le g_0 + 3$; on the other hand, if one calls $d_1$ the smallest proper divisor of $k$, then $\sum_{d \mid k,\ 1 \le d < k} q^d = q^{k/d_1} \sum_{d \mid k,\ 1 \le d < k} q^{d - k/d_1}$. Since $d \mid k$ and $d < k$, we have $d \le k/d_1$, so $d - k/d_1$ is a negative or null integer. Therefore this sum is bounded by $q^{k/d_1} \sum_{i \ge 0} q^{-i} \le q^{k/d_1} \sum_{i \ge 0} 2^{-i} = 2\, q^{k/d_1}$. But $d_1 \ge 2$, so
$$\big|P'_k(C) - P_k(C)\big| \le 2\, q^{k/2} \deg_x f \le 2(g_0 + 3)\, q^{k/2}. \qquad (15)$$
The result follows from Equations (12), (13) and (15). □



The following theorem shows that $\alpha(f)$ is well defined. More specifically, call $L$ the set of irreducible monic polynomials in $\mathbb{F}_q[t]$. We show the existence of alpha by showing the convergence of $V_{b_0} := \sum_{\ell \in L,\ \deg \ell < b_0} \big(\alpha_\ell(f) - \alpha_\ell(x)\big)$.

Theorem 2.14. Let $f \in \mathbb{F}_q[t][x]$ be an absolutely irreducible separable polynomial. Then the sequence $V_{b_0}$ defined above converges. If one defines alpha by $\alpha(f) = \lim_{b_0 \to \infty} \sum_{\ell \in L,\ \deg \ell < b_0} \alpha_\ell(f)$, then there exist explicit bounds on $\alpha$ that depend only on $\deg_x f$, $\deg_t f$ and $q$.

Proof. Call $d_0 = \deg f$ the degree of $f$ as a polynomial in two variables and $g_0 = (d_0-1)(d_0-2)/2$. Let $L_0$ be the set of irreducible divisors of $\mathrm{Disc}(f) \cdot f_d$. Call $b_0$ the largest degree of elements in $L_0$. Let $k > b_0$. We are in the case of Corollary 2.9, hence Equation (8) gives
$$\sum_{\ell \in L,\ \deg \ell = k} \big(\alpha_\ell(f) - \alpha_\ell(x)\big) = -\frac{k\, q^k}{q^{2k}-1}\Big(\#\{(\ell,r) \mid \deg(\ell) = k,\ f(r) \equiv 0 \bmod \ell\} - I_k\Big).$$
Each pair $(\ell, r)$ as in the equation above corresponds to exactly $k$ points on the curve $C$ associated to $f$. Indeed, each $\ell$ has exactly $k$ distinct roots in $\mathbb{F}_{q^k}$. Hence we have $I_k = \frac{1}{k} P'_k(\mathbb{P}^1(\mathbb{F}_q))$ and $\#\{(\ell,r) \mid f(r) \equiv 0 \bmod \ell\} = \frac{1}{k} P'_k(C)$, and further:
$$\Big|\#\{(\ell,r) \mid f(r) \equiv 0 \bmod \ell\} - I_k\Big| = \frac{1}{k}\,\big|P'_k(C) - P'_k(\mathbb{P}^1(\mathbb{F}_q))\big|.$$
Finally, Lemma 2.13 applied to $C$ and $\mathbb{P}^1(\mathbb{F}_q)$ respectively gives
$$\big|P'_k(C) - (q^k+1)\big| \le (4g_0 + 6)\, q^{k/2}, \qquad (16)$$
$$\big|P'_k(\mathbb{P}^1(\mathbb{F}_q)) - (q^k+1)\big| \le 6\, q^{k/2}, \qquad (17)$$
where $g_0$ is the arithmetic genus of $C$. Hence
$$\Big|\#\{(\ell,r) \mid f(r) \equiv 0 \bmod \ell\} - I_k\Big| \le \frac{(4g_0 + 12)\, q^{k/2}}{k}. \qquad (18)$$
The series $\sum_{k \ge 1} \frac{k\, q^k}{q^{2k}-1} \cdot \frac{(4g_0+12)\, q^{k/2}}{k}$ is equivalent to a geometric series of ratio $q^{-1/2}$, which converges. Therefore the sequence $V_{b_0}$ converges when $b_0$ tends to infinity.

For a given pair $d_0$ and $q$, one can clearly bound the set $L_0$. For all $\ell \in L_0$, by Proposition 2.8, $S(f,\ell)$ is formed by at most $\deg_x f \le d_0$ infinite sequences and a finite number of additional elements. We are thus left with finding a bound for the roots which do not extend into $\ell$-adic roots. By Hensel's Lemma, if a root $(r,k)$ does not lift to an $\ell$-adic one, we have $f'(r) \equiv 0 \bmod \ell^k$. This implies $\mathrm{Disc}(f) \equiv 0 \bmod \ell^k$, which gives a bound on $k$. Therefore, alpha admits an effective bound depending exclusively on $q$ and $d_0$. □

Example 2.15. Following the proof of the previous theorem, we can not only find a bound on $\alpha$, but also evaluate the speed of convergence. Take $q = 2$, let $f \in \mathbb{F}_q[t][x]$ be such that $\deg_x f = 6$ and $g = 19$, and suppose that $L_0$ contains only polynomials of degree less than 15. Using Equations (16) and (17) in the proof above and the exact formula for $I_k$, we can prove that $\alpha(f)$ is computed up to an error of 0.567 if we sum over polynomials $\ell$ up to degree 15, and we reduce the error to 0.097 if we go up to degree 20.



2.3 Cancellation property: Laurent roots

Consider the polynomial $f = x^3 + t^2 x + 1 \in \mathbb{F}_2[t][x]$. For all $(a,b) \in \mathbb{F}_2[t]^2$, if no cancellation occurs, the degree of $F(a,b) = a^3 + t^2 a b^2 + b^3$ is $\max(\deg a^3, \deg(t^2 a b^2), \deg b^3)$. One can easily check that the degree of $F(a,b)$ is lower than this value if and only if $\deg a - \deg b$ equals 1 or $-2$. Moreover, in the first case the decrease is at least 2 while in the second case it is at least 1. These conditions can be better explained thanks to Laurent series.

We call Laurent series (in $1/t$) over $\mathbb{F}_q$ any series $\sum_{n \ge n_0} a_n t^{-n}$ with $n_0 \in \mathbb{Z}$ and coefficients $a_n$ in $\mathbb{F}_q$. We make the common convention to call degree of a rational fraction $f_1/f_2$ with $f_1, f_2 \in \mathbb{F}_q[t]$ the difference $\deg f_1 - \deg f_2$. The degree of a Laurent series is then defined as the degree of any of its nonzero truncations, e.g. $t + 1 + 1/t^2 + \cdots$ has degree 1. Equivalently, it is the opposite of the valuation of the Laurent series in $1/t$. We call Laurent polynomial a pair $(r,m)$ such that $r \in \mathbb{F}_q(t)$, $m$ is an integer and $r$ is the sum of a Laurent series whose terms are null starting from index $m+1$. We may also use $r + O(1/t^{m+1})$ for writing the Laurent polynomial $(r,m)$.

Formally, a pair $(a,b)$ has a "decrease in degree" if $\max_i \deg(f_i a^i b^{d-i})$ is strictly larger than $\deg F(a,b)$. Note that $F(a,b)$ has a decrease in degree if and only if $b \ne 0$ and the first terms of the Laurent series $a/b$ match those of a Laurent polynomial $r$ with the property given in the following definition.

Definition 2.16. Let $f \in \mathbb{F}_q[t][x]$ be a polynomial and call $d$ its degree in $x$. Let $(r,m)$ be a Laurent polynomial. We say that $(r,m)$ is a Laurent root of $f$ if
$$\max_{i \in [0,d]} \deg(f_i r^i) - \deg f(r) > 0. \qquad (19)$$
We call gap of $(r,m)$ the least value of the left hand side of the inequality above when we replace $r$ by any Laurent series extending $r$. A Laurent series such that all its truncations are Laurent roots is called an infinite Laurent root.

In the example above, $\frac{1}{t^2} + \frac{1}{t^8} + O\!\left(\frac{1}{t^9}\right)$ is a Laurent root of gap 7 and it extends into an infinite Laurent root. Also $t + O(1)$ is a Laurent root of gap 2 that is not the truncation of any Laurent root with a larger $m$. This also shows that the gap is not directly connected to the number of terms in the Laurent polynomial.

2.3.1 Computation

One can compute every Laurent root in two steps. First, one computes the Laurent roots of type $\lambda t^\delta$ with $\lambda \in \mathbb{F}_q^*$ and $\delta$ an integer. For this, call Newton polygon of $f$, with respect to the valuation $-\deg$, the convex hull of $\{(d-i, \deg(f_i)) \mid i \in [0,d]\}$. Chapter II in [Neu99] shows that $\delta$ must be an integer slope of the Newton polygon of $f$. Next, to extend a Laurent root $r = a_{n_0} t^{-n_0} + \cdots + a_m t^{-m}$ with $a_m \ne 0$ to a root with precision larger than $m$, one computes the Laurent roots $\lambda t^\delta$ of $f(x + r)$ for which $\delta$ is an integer such that $\delta < -m$. Note that this corresponds to making a Hensel lift with respect to the valuation $-\deg$.

In order to compute the gap of a Laurent root $(r,m)$, note that in Equation (19) the term $\max_{i \in [0,d]} \deg(f_i r^i)$ depends only on the leading term of $r$. Hence the problem is reduced to that of computing the maximal degree of $f(R)$ for the Laurent series $R$ which extend $r$. For this, one sets an upper bound and then tests Laurent polynomials with increasingly more terms, reducing the upper bound until they produce a certificate.

2.3.2 Definition of $\alpha_\infty$

For each Laurent root $(r,m)$, we can compute the proportion of pairs $(a,b)$ on a sieve domain such that the first terms of $a/b$ match $(r,m)$. Recall that a sieve domain of sieve parameter $e$ and skewness $s$ corresponds to all the pairs $(a,b)$ with $\deg a \le \lfloor e + s/2 \rfloor$ and $\deg b \le \lfloor e - s/2 \rfloor$.

Lemma 2.17. Let $r + O(1/t^{m+1})$ be a Laurent root of $f \in \mathbb{F}_q[t][x]$. Call $N_r = \deg(r) + m$ the number of terms of $r$ other than the leading one. Then the proportion of pairs $(a,b)$ on a domain of sieve parameter $e > N_r + |\deg r|$ and skewness parameter $s$ such that the Laurent series $a/b$ matches $r + O(1/t^{m+1})$ is:
$$\frac{q^{-N_r - |s - \deg r|}}{q+1}.$$

Proof. The proportion of pairs $(a,b)$ such that $\deg a - \deg b = \deg r$ is approximated by $\left(\frac{q-1}{q}\right)^2 \sum_{i \ge 0} q^{-2i}\, q^{-|s - \deg r|}$. See Figure 1 for an illustration. The relative error made is $O(1/q^{2e})$ and corresponds to the fact that the series $\sum_{i \ge 0} q^{-2i}$ must be truncated at $i = e - |\deg r|$, and to the fact that for $\deg a, \deg b < |s|$ there is no pair $(a,b)$ such that $\deg a - \deg b = s$. Next, only a fraction $\frac{1}{q-1}$ of these pairs have leading coefficients such that $a/b = r(1 + O(1/t))$. Finally, when $a/b = r(1 + O(1/t))$, the condition $a/b = r + O(1/t^{m+1}) = r\big(1 + O(1/t^{N_r+1})\big)$ can be expressed as a system of $N_r$ linear equations, which is triangular in the variables of $a$. Therefore, a pair with $\deg a - \deg b = \deg r$ and $a/b = r(1 + O(1/t))$ has probability $q^{-N_r}$ to satisfy $a/b = r\big(1 + O(1/t^{N_r+1})\big)$. This leads to the proportion announced in the statement. Note that the condition $e > N_r + |\deg r|$ guarantees that the polynomials $a$ and $b$ have sufficiently many coefficients so that the linear conditions make sense. □

We can now define a function which, for large sieve domains, measures the average degree gained due to the cancellations.

Definition 2.18. For any Laurent root $r + O(1/t^{m+1})$ we call $\mathrm{trunc}(r)$ the Laurent polynomial obtained by deleting the term in $t^{-m}$. If $\mathrm{trunc}(r) \ne 0$ we write $\gamma(r,m)$ for the gap of $r + O(1/t^{m+1})$ minus the gap of $\mathrm{trunc}(r) + O(1/t^{m})$. Otherwise $\gamma(r,m)$ is the gap of $r + O(1/t^{m+1})$. We call alpha infinity the following quantity:
$$\alpha_\infty(f,s) := \sum_{(r,m)\ \text{Laurent root}} -\gamma(r,m)\,\frac{q^{-N_r - |s - \deg r|}}{q+1}. \qquad (20)$$

Consider the case when all the Laurent roots of $f$ extend infinitely into the Laurent series $r_1, r_2, \ldots, r_h$. If, for all $i$, each new term of $a/b$ which matches $r_i$ increases the gap by one, then we obtain the simpler formula below.
$$\alpha_\infty(f,s) = -\frac{q}{q^2-1} \sum_{i=1}^{h} q^{-|s - \deg r_i|}. \qquad (21)$$

As a particular case, it is clear that the polynomials of degree 1 in $x$ have exactly one infinite Laurent root. If one sets the skewness $s = \deg_t f$, then $\alpha_\infty(f,s) = -\frac{q}{q^2-1}$. As a second example, a degree-6 polynomial $f$ over $\mathbb{F}_2$ which has infinite Laurent roots of degrees $3, 2, 1, 0, -1$ and $-2$ has $\alpha_\infty(f,0) = -1.75$.

Example 2.19. A special class of polynomials are those corresponding to $C_{a,b}$ curves, which were proposed for the FFS in [Mat99]. If $f$ is a $C_{a,b}$ polynomial and if we denote $a = \deg_x f$ and $b = \deg_t f_0 - \deg f_a$, then for all $i \in [0, a-1]$ we have $\deg f_i \le \deg f_a + (a-i)\frac{b}{a}$.

Suppose that a $C_{a,b}$ polynomial $f$ had a Laurent root $r$. If $\deg r < \frac{b}{a}$, then $\max\{\deg f_i r^i \mid i \in [1,a]\} < \deg f_0$. If $\deg r > \frac{b}{a}$ then $\deg f_a r^a$ dominates all the other terms of $f(r)$. So $f$ has no Laurent roots and hence, for any $s$, $\alpha_\infty(f,s) = 0$.



2.3.3 Constructing polynomials with many Laurent roots

One can easily check that, if a polynomial $f = \sum_i f_i x^i$ satisfies $\deg(f_d) = 0$, $\deg(f_{d-1}) = s$ for some $s > 0$ and $\deg(f_i) < (d-i)s$ for all $i \in [0, d-2]$, then $f$ has a Laurent root of degree $s$. This can be generalized to up to $d$ roots.

For any edge $(v_i, i)(v_j, j)$ of the Newton polygon we call length the quantity $|i - j|$.

Proposition 2.20. (Section II.6, [Neu99]) If $f \in \mathbb{F}_q[t][x]$ is a polynomial, each edge of length 1 in the Newton polygon corresponds to an infinite Laurent root of $f$.

For example, the polynomial $f = x^7 + t^{?}x^6 + t^{?}x^5 + (t^{?} + 1)x^4 + t^{?}x^3 + (t^{?} + t + 1)x^2 + t^{?}x + 1$ has a Newton polygon with 7 edges of length 1 and therefore 7 infinite Laurent roots.

Note however that the converse of Proposition 2.20 is false in general: a polynomial might have infinite Laurent roots which cannot be counted using the Newton polygon. E.g. for the polynomial $f$ above, $f(x + t^{?})$ also has 7 infinite Laurent roots, although its Newton polygon has no edge of length 1.

Figure 1: A domain of pairs $(a,b)$ in lexicographical order having skewness $S$. We write the quantity $\deg a - \deg b - S$ for each region.
3 The combined effect of the properties which influence the sieving efficiency

The previous sections identified three elements which affect the sieve and defined associated measures: $\sigma$ for the size property, $\alpha$ for the root property and $\alpha_\infty$ for the cancellation property. The list might be extended with other properties, and the quantifying functions can be combined in different fashions in order to compare arbitrary polynomials. In this section we define two general purpose functions based on the three properties above and show their relevance through experimentation.

3.1 Adapting Murphy's E to the FFS 

As a first function which compares arbitrary polynomials, we adapt Murphy's $E$, already used for the NFS algorithm (Equation 5.7, [Mur99]). Heuristically, $E$ uses Dickman's $\rho$ to approximate the number of relations found by $f$ and $g$ on a sieving domain.

Definition 3.1. Let $f, g \in \mathbb{F}_q[t][x]$ be two irreducible polynomials, $s$ an integer called skewness parameter, $e$ a half integer called sieve parameter and $\beta$ an integer called smoothness bound. Let $D(s,e)$ be the set of coprime pairs $(a,b) \in \mathbb{F}_q[t]^2$ such that $0 \le \deg(a) \le \lfloor e + \frac{s}{2} \rfloor$ and $0 \le \deg(b) \le \lfloor e - \frac{s}{2} \rfloor$. We define:
$$E(f,g,s,e,\beta) = \sum_{(a,b) \in D(s,e)} \rho\left(\frac{\deg F(a,b) + \alpha(f)}{\beta}\right) \rho\left(\frac{\deg G(a,b) + \alpha(g)}{\beta}\right).$$

Unlike the situation in the NFS case, where $E$ must be approximated by numerical methods, in the case of the FFS one can compute $E$ in polynomial time with respect to $\deg(f)$, $\deg(g)$ and $e + |s|$. Note that $\rho$ can be evaluated in polynomial time to any precision on the interval which is relevant in this formula.

We recall that we focus in this work on the case where the polynomial $g$ is linear, as in [JL02]. More precisely, we assume that $g = g_1 x + g_0$ is chosen with $g_0$ of much higher degree than $g_1$. In this case, the algorithm goes as follows:

1. compute the Laurent roots of $f$ up to $\lfloor d(e + \frac{s}{2}) + \deg_t f \rfloor$ terms;
2. for each $d_a \le \lfloor e + \frac{s}{2} \rfloor$, $d_b \le \lfloor e - \frac{s}{2} \rfloor$ and $i \in \mathbb{N}$, use Lemma 2.17 to compute the number $n(d_a, d_b, i)$ of pairs $(a,b)$ such that $\deg(a) = d_a$, $\deg(b) = d_b$ and $\deg(F(a,b)) = i$;

3. compute
$$\sum_{d_a,\, d_b,\, i} n(d_a, d_b, i)\, \rho\left(\frac{i + \alpha(f)}{\beta}\right) \rho\left(\frac{d_b + \deg_t g + \alpha(g)}{\beta}\right). \qquad (22)$$

Table 1: Choosing the best skewness using $E$. The parameters are set to $e = 24.5$ and $\beta = 22$.

    s                                           -1      1      3      5      7
    E(f,g,s,e,β) (rescaled by a fixed power of 10)   2.54   3.31   3.46   2.88   2.12

One can use Murphy's E to choose the optimal skewness for a given pair (f, g) of polynomials.

Example 3.2. Consider for instance the two polynomials used for the computation of discrete logarithms in GF(2^619): f = x^6 + (t^{…} + t + 1)x^{…} + (t^{…} + t)x + 0x152a and g = x − t^{104} − 0x6dbb, written in hexadecimal¹ notation [BBD+12]. They used the smoothness bound 22 and most of the computations were done using special-Q's (q, r) with deg q = 25. The pairs (a, b) considered for each special-Q were (i a_0 + j a_1, i b_0 + j b_1), with (a_0, b_0) and (a_1, b_1) two pairs on the special-Q lattice and i, j polynomials of degree at most 12. Hence the pairs (a, b) considered were such that deg a + deg b = deg q + 24, so e = (deg a + deg b)/2 = 24.5. Note that, if a and b have maximal degree on our set, the difference deg a − deg b cannot be even. Table 1 shows that the best skewness value is 3.

Note though that in [BBD+12] one started by experimentally choosing the best skewness for polynomials with a given bound on the degrees. Then they selected the polynomials which, for that value of s, minimize epsilon, the function that we define below.

An alternative to E: epsilon. Recall that σ is the degree of the norm when no cancellation occurs, α is the degree gained thanks to the modular roots and α_∞ is the degree gained thanks to cancellations. It seems natural that their sum is the degree of a polynomial which has the same smoothness probability as F(a, b) for an "average" pair (a, b) in the sieving domain.

Definition 3.3. For a polynomial f ∈ F_q[t][x], a skewness parameter s and a sieve parameter e, we call epsilon the following average degree

$$\varepsilon(f, s, e) = \alpha(f) + \alpha_\infty(f, s) + \sigma(f, s, e).$$

Epsilon can be used to estimate the speedup of a polynomial with good properties. For example, if the smoothness bound is 28 and two polynomials have epsilon equal to 107 and 109 respectively, then we expect a speedup of ρ(107/28)/ρ(109/28) ≈ 1.19.

Comparing ε and E. Since the subroutines needed to compute ε are also needed when evaluating E, in practice epsilon is faster to compute than E. The advantage of E is that it is more precise, but the experiments of the next section show that epsilon is reliable enough.
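The speedup estimate above requires ρ on the interval (deg F + α)/β, which in practice means u between roughly 3 and 5. The following Python code is an added example, not part of the paper or of the FFS implementation it discusses: it tabulates Dickman's ρ from its delay differential equation and turns two epsilon values into the predicted speedup ρ(ε_1/β)/ρ(ε_2/β). The function names and the step size h are this example's own choices.

```python
"""Added example (not from the paper): a Dickman-rho evaluator and the
epsilon-to-speedup estimate of Section 3.1.  rho(u) is the asymptotic
probability that a random polynomial of degree beta*u over F_q[t] is
beta-smooth; it satisfies rho(u) = 1 for 0 <= u <= 1 and the delay
differential equation u * rho'(u) = -rho(u - 1) for u > 1."""
import math


def dickman_table(u_max, h=1e-3):
    """Tabulate rho on the grid 0, h, 2h, ..., u_max by integrating
    u*rho'(u) = -rho(u-1).  The derivative only involves values one unit
    back, which are already known, so an explicit trapezoidal step is
    accurate to O(h^2) globally."""
    n = int(round(u_max / h))
    lag = int(round(1.0 / h))              # grid points in one unit of u
    rho = [1.0] * (n + 1)                  # rho = 1 on [0, 1]
    for i in range(lag, n):
        u = i * h
        slope_here = -rho[i - lag] / u
        slope_next = -rho[i + 1 - lag] / (u + h)
        rho[i + 1] = rho[i] + h * (slope_here + slope_next) / 2
    return rho, h


_CACHE = {}


def dickman_rho(u, h=1e-3):
    """rho(u) by linear interpolation in a cached table."""
    if u <= 1:
        return 1.0
    u_max = math.ceil(u)
    if (u_max, h) not in _CACHE:
        _CACHE[(u_max, h)] = dickman_table(u_max, h)
    table, step = _CACHE[(u_max, h)]
    pos = u / step
    i = min(int(pos), len(table) - 2)
    frac = pos - i
    return (1 - frac) * table[i] + frac * table[i + 1]


def smoothness_probability(degree, alpha, beta):
    """The paper's estimate for a norm of the given degree with root
    property alpha to be beta-smooth: rho((degree + alpha) / beta)."""
    return dickman_rho((degree + alpha) / beta)


def expected_speedup(eps_better, eps_worse, beta):
    """Sieve speedup predicted by two epsilon values (Definition 3.3):
    rho(eps_better / beta) / rho(eps_worse / beta)."""
    return dickman_rho(eps_better / beta) / dickman_rho(eps_worse / beta)


if __name__ == "__main__":
    print("rho(2) =", dickman_rho(2.0), " exact 1 - ln 2 =", 1 - math.log(2))
    print("rho(3) =", dickman_rho(3.0))
    print("speedup of epsilon 107 over 109 at beta = 28:",
          expected_speedup(107, 109, 28))
```

With h = 10^{-3} the table reproduces ρ(2) = 1 − ln 2 and ρ(3) ≈ 0.0486 to better than 10^{-5}, and the ratio for ε = 107 versus 109 at β = 28 comes out near 1.19, as stated above.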

¹ Each polynomial ℓ ∈ F_2[t], ℓ = Σ_i ℓ_i t^i with ℓ_i ∈ {0, 1}, is represented by the base-16 notation of the integer Σ_i ℓ_i 2^i.

Figure 2: Distribution of epsilon on a sample of 20000 polynomials of F_2[t][x] of degree 6 in x and 12 in t.

3.2 Experimental validation 

The implementation used in the experiments is the one described in [DGV13], which is freely available at [BFG+]. To our knowledge, no other push-button implementation of the FFS is publicly available. In addition, this implementation makes relatively few modifications which could lose relations, which would make a theoretical study inexact.

The real-life efficiency of a polynomial is measured either as the number of relations per second, as the total number of relations, or as the average number of relations per special-Q. We kept the last one as our measure of efficiency, since the software offers an option to measure it reliably and because it depends only on the properties of the polynomials rather than on the quality of the implementation.

Experiment 1. We selected a sample of polynomials f after evaluating epsilon for a range of polynomials considered one after another in lexicographical order, starting from x^6 + (t^{…} + t + 1)x^{…} + (t^{…} + t + 1)x^{…} + tx + t^{…}. Note that the choice of the starting point guarantees that the polynomials considered have at least one infinite Laurent root. Since the distribution of epsilon was that of Figure 2, most of the polynomials tested had values of epsilon in a narrow interval. This led us to select only one polynomial in each interval of length 0.01, for a total of 119 polynomials. Next we extended the sample with 60 polynomials starting from x^{…} + t^{…}x^{…} + (t^{…} + 1)x^{…} + t^{…}x^{…} + 1. For each polynomial f we associated a random monic linear polynomial g suited to the FFS, of degree 104 in t. Indeed, as shown in Theorem 2.12 and in Section 2.3.2 respectively, all linear polynomials have the same value of α and of α_∞.

We set the parameters as follows: I = J = 12, fbb0 = fbb1 = 22, lpb0 = lpb1 = 28, thresh0 = thresh1 = 100, sqside = 1. The polynomials q used in the special-Q technique were the first irreducible ones starting from t^{25}. We used the option "reliablenrels", which tests as many values of q as needed to obtain a measurement error of ±3% with a confidence level of 95%. The skewness parameter was set to S = 3 because, for the finite fields where the degree-6 polynomials are optimal, this is a sensible choice. Finally, the parameter sqt was set to 1 so that, for most special-Q's, the sieving domain was such that deg a ≤ 26 and deg b ≤ 23.

The results plotted in Figure 3 indicate that the sieve efficiency is close to a strictly decreasing function of epsilon. To illustrate this, we plotted a decreasing function fitted to our results, such that the relative error of our measurements is always less than 5%.

Figure 3: Epsilon and sieve efficiency for the polynomials f in Experiment 1. The function h is of the form a + bx + c log x, with no special significance.

Finally, one can see that a sensible choice of the polynomial can save a factor 2 in sieve time compared to a bad choice.

3.3 Correlation between f and g

A standard heuristic states that the probabilities for F(a, b) and G(a, b) to be smooth are independent; e.g. Murphy's E multiplies the two probabilities. The inexactness of this approximation could be called the correlation property. According to Experiment 1 the correlation property has a small effect on the sieve, so we limit ourselves to illustrating it by an example and a practical experiment.

Example 3.4. Let f = x^{…} − t^{…}(t + 1), g_1 = x − (t^{…} + t)^{…} and g_2 = x − (t^{…} + t + 1)^{…}. Let F, G_1 and G_2 be the homogenizations of f, g_1 and g_2 respectively. Note that, for coprime pairs (a, b) ∈ F_q[t]^2, F(a, b) is divisible by t if and only if a ≡ 0 mod t. For these pairs we have G_1(a, b) ≡ 0 mod t whereas G_2(a, b) ≢ 0 mod t. In short, g_1 increases the number of doubly smooth pairs whereas g_2 increases the number of pairs which are smooth on the rational or on the algebraic side, but not on both.

If deg_x g = 1, then every prime power ℓ^k dividing Res(f, g) induces a correlation between the events ℓ^k | F(a, b) and ℓ^k | G(a, b) on a domain of pairs (a, b). Table 2 summarizes an experiment in which we compared different pairs (f, g) with f having similar values of ε. We selected three polynomials f of the form f = f̄ + f_0 with f̄ = x^{…} + tx^{…} + (t + 1)x^{…} + (t^{…} + t + 1)x^{…}, and we associated to each one a linear polynomial g of the form g = ḡ + g_{00} with ḡ = x − t^{104} − t^{…} + t^{…} + t^{…} + t^{…} + t^{…}. Instead of imposing that Res(f, g) has an irreducible factor of degree 619 as in the previous experiment, we aimed to find polynomials g such that Res(f, g) has first no, then many, small factors. The experiment indicated that the correlation property explains part of the error observed in Experiment 1, bringing it close to 3%, which is equal to our measurement error.

Since it is easy to associate many linear polynomials g to a single f, and since all linear polynomials have the same value of epsilon, it is tempting to select g such that Res(f, g) has many small factors. Nevertheless, f and g are chosen such that Res(f, g) has degree d(⌊n/d⌋ + 1) and we require
Table 2: Influence of the linear polynomial g on the sieve efficiency. f = f̄ + f_0 and g = ḡ + g_{00}, with f̄ and ḡ given in Section 3.3.

f_0  | g_00 | small factors of Res(f, g)                     | efficiency (rels/sq)
0x19 | 0xb2 | (none)                                         | 3.3
0x12 | 0xbf | (none)                                         | 3.4
0x12 | 0xb8 | (none)                                         | 3.4
0x12 | 0xae | t·(t + 1)                                      | 3.5
0x12 | 0xa0 | t·(t + 1)                                      | 3.5
0x12 | 0xbb | t·(t + 1)·(t^{…} + t^{…} + 1)                  | 3.5
0x1e | 0xbb | t·(t + 1)·(t^{…} + t + 1)·(t^{…} + ⋯)           | 3.6



an irreducible factor of degree n, leaving little room for additional factors. Moreover, when f imposes an extra factor on Res(f, g) (for example by having 1 projective and q affine roots modulo t), depending on the congruence of n modulo d it can be impossible to choose g of optimal degree in t. See Section 5.2 for an example.

3.4 A sieve algorithm for alpha

Having shown the relevance of epsilon, polynomial selection comes down to evaluating epsilon on a large set of polynomials. One can try various ranges of polynomials f = Σ_i f_i x^i given by degree bounds on their coefficients f_i, which optimize sigma and/or impose a number of Laurent roots, as shown in Section 2.3.3. The most time-consuming part of the computation, the evaluation of alpha, can be done on each range by a sieving procedure.

The idea is that, for each irreducible polynomial ℓ ∈ F_q[t], we compute α_ℓ for all the residue polynomials f of F_q[t][x] modulo ℓ, and then we update the values of α_ℓ for all the polynomials f in the range.

Let d, c_0, …, c_{d−1} and c_d be integers. We consider the range of polynomials f = Σ_{i=0}^{d} f_i x^i ∈ F_q[t][x] such that, for i ∈ [0, d], deg_t f_i ≤ c_i. Call H the set of values taken by the tuple (f_d, …, f_2) and T those taken by (f_1, f_0). Let L be the set of irreducible polynomials up to a given bound. Let k_max be a parameter and let us suppose that, for all ℓ ∈ L, all the roots r mod ℓ^k with deg(ℓ^k) > k_max extend indefinitely.

For an irreducible polynomial ℓ, Algorithm 1 below computes α_ℓ(f) for all f in the range and can be used as a subroutine for computing α(f) on the same range. We denote by residues(ℓ^k) the set of polynomials in F_q[t] of degree at most k deg ℓ − 1.

The correctness of Algorithm 1 follows from Proposition 2.8. For a fixed value of k_max, the complexity per polynomial is O(1), as the most time-consuming steps are those in lines 8 and 10. For comparison, in the naive algorithm one needs, for each polynomial, to find its roots modulo ℓ, which takes non-constant polynomial time in d + deg(ℓ). In practice Algorithm 1 proved to be much faster: Paul Zimmermann used it to compute α_ℓ(f), for all irreducible polynomials ℓ with deg ℓ ≤ 6, on the range of the 2^48 monic polynomials f ∈ F_2[t][x] of degree 6 such that, for i ∈ [0, 6], deg_t f_i ≤ 12 − 2i.

4 Sieving with inseparable polynomials

4.1 Particularities of the inseparable polynomials

Despite the additional technicalities they bring, inseparable polynomials were preferred in two record computations [HSW+10], [HSST12]. Moreover, the Coppersmith algorithm, implemented in [Tho03], can be seen as a particular case of the FFS using inseparable polynomials.
Algorithm 1 The alpha sieve

 1: Initialize α_ℓ to a vector of value deg(ℓ)/(N(ℓ) − 1)
 3: for (f_d, f_{d−1}, …, f_2) in H do
 4:   for k in [1..k_max] and r in residues(ℓ^k), with h = Σ_{i=2}^{d} f_i r^i mod ℓ^k, do
 5:     for (f_1, f_0) in T such that f_1 r + f_0 ≡ −h mod ℓ^k do
 7:       if k < k_max then
 8:         α_ℓ(f) ← α_ℓ(f) − deg(ℓ) N(ℓ)^{1−k}/(N(ℓ) + 1)
 9:       else
10:         α_ℓ(f) ← α_ℓ(f) − deg(ℓ) N(ℓ)^{2−k}/(N(ℓ)^2 − 1)
11:       end if
12:     end for
13:   end for
14: end for





In order to present the Coppersmith algorithm from this point of view, and to compare inseparable polynomials to separable ones, we start with their definition, followed by their main properties.

Definition 4.1. An irreducible non-constant polynomial f ∈ F_q[t][x] is said to be inseparable if f' = 0, where f' denotes the derivative with respect to x.

For every inseparable polynomial f there exist a power d of the characteristic of F_q and a polynomial f̄ ∈ F_q[t][x] such that f = f̄(x^d) and f̄' ≠ 0. This simple property allows us to factor any irreducible polynomial ℓ in the function field of f in two steps. First we factor ℓ in the function field of f̄, then we further factor every prime ideal l̄ of f̄. The main advantage is that some prime ideal factorization algorithms work only for separable polynomials (for example Magma implements function fields only in the case of separable polynomials [BCP97]). The factorization of the ideals l̄ of f̄ in the function field of f is easy using the following result.

Proposition 4.2. (Corollary X.1.8 of [Lor96]) Let p > 0 be a prime and q and d two powers of p. Let K̄/F_q(t) be a function field. Let K/K̄ be the extension defined by the polynomial x^d − θ̄ with θ̄ ∈ K̄. Then every prime ideal l̄ of K̄ decomposes as

$$\bar{\mathfrak{l}}\,\mathcal{O}_K = \mathfrak{L}^d \qquad (23)$$

for some prime ideal 𝔏 such that 𝔏 ∩ O_{K̄} = l̄.

In the FFS algorithm it is required to compute, for each smooth element a − bθ of the function field of f, the valuation at every prime ideal 𝔏 of the factor base. For this we start by factoring (a − bθ)^d in the ring of integers O_{K̄} of the function field K̄ of f̄:

$$(a-b\theta)^d\,\mathcal{O}_{\bar K} = (a^d - b^d\bar\theta)\,\mathcal{O}_{\bar K} = \prod_i \bar{\mathfrak{l}}_i^{\,e_i},$$

and then we obtain (a − bθ) O_K = Π_i 𝔏_i^{e_i}, where the 𝔏_i are such that l̄_i O_K = 𝔏_i^d.
4.2 Speed-up in the FFS due to inseparability

Definition 4.3. Let f and g be two polynomials of F_q[t][x] such that Res(f, g) has an irreducible factor of degree n. Assume that deg_x g = 1 and write f = f̄(x^d) for some separable polynomial f̄ and some integer d which is either 1 or a power of char(F_q). We call free relation any irreducible polynomial ℓ ∈ F_q[t] such that ℓ ∤ Disc(f̄) f_d and f̄ mod ℓ splits into degree-1 factors.
Table 3: Number of free relations of a pair f, g with f = f̄(x^d), f̄ separable and deg_x(g) = 1. N is the number of monic irreducible polynomials of degree below the smoothness bound. The computations assume that #Gal(f̄) = (deg f̄)!.

char(F_q) | d | deg(f̄) | #{factor base} | #{free relations}
any       | 1 | 6       | 2N             | N/720
2         | 2 | 3       | 2N             | N/6
3         | 3 | 2       | 2N             | N/2
any       | 1 | 8       | 2N             | N/40320
2         | 2 | 4       | 2N             | N/24
2         | 4 | 2       | 2N             | N/2
2         | 8 | 1       | 2N             | N



Clearly each free relation of norm less than the smoothness bound yields an additive equation between the virtual logarithms of the ideals in the factor base.

The number of free relations is given by Chebotarev's theorem as follows. First note that, by Proposition 4.2, a polynomial ℓ is a free relation for f if and only if it is a free relation for f̄. Then the proportion of free relations among the irreducible polynomials is, by Chebotarev's theorem, asymptotically equal to the inverse of the cardinality of the Galois group of the splitting field of f̄. Call N the number of monic irreducible polynomials in F_q[t] of degree less than the smoothness bound. Then the number of free relations is:

$$\#\{\text{free relations}\} = \frac{N}{\#\mathrm{Gal}(\bar f)}. \qquad (24)$$

We compare this to the cardinality of the factor base. Since the cardinality of the rational side is N and f has as many ideals as f̄, it is enough to evaluate the cardinality of the algebraic side. By Chebotarev's theorem, the number of pairs (ℓ, r) such that f̄(r) ≡ 0 mod ℓ, deg r < deg ℓ and deg ℓ less than the smoothness bound is xN, where x is the average number of roots of f̄ fixed by the automorphisms of the splitting field of f̄. It can be checked that each root of f̄ is fixed by a fraction 1/deg(f̄) of the automorphisms, so x = 1. Hence, asymptotically, the factor base has 2N + o(N) elements.

Heuristically, Gal(f̄) is the full symmetric group for all but a negligible set of polynomials f̄, so most often we have #Gal(f̄) = deg(f̄)!. We list the results for deg f equal to 6 and 8 in Table 3. The case d = 3 and deg f̄ = 2 brought a 4/3-fold speedup in [HSW+10].

Coppersmith algorithm. The case d = 8 and deg f̄ = 1 corresponds to the Coppersmith algorithm. Indeed, since half of the relations are free relations, the sieve is accelerated by a factor of 2. Moreover, since deg(f̄) = 1, the free relations are particularly simple, linking exactly one element of the rational side to one element of the algebraic side of the factor base (Proposition 4.2). Therefore one can rewrite the relations using only the elements of the rational side, hence speeding up the linear algebra step by a factor of 4.

4.3 Root property of inseparable polynomials

Although inseparable polynomials are relatively few, so that they can be tested exhaustively, it is of independent interest to understand why inseparable polynomials have a bad root property and, in particular, why the alpha value of many polynomials used in the Coppersmith algorithm is 2. Note that our proof that alpha converges covers only the case of separable polynomials. In this section we give some results on their root property.

First, the number of pairs (ℓ, r) with ℓ irreducible and r a polynomial of degree less than deg(ℓ) such that f(r) ≡ 0 mod ℓ has a narrower range of values than it does for separable polynomials. Indeed, as shown by the following result, this number equals the number of roots of f̄. The bounds of Theorem 2.14, when written explicitly, are narrower for polynomials of degree deg(f̄) than for those of degree deg f. For example, if f̄ is linear, this number is constant.

Lemma 4.4. Let f̄ ∈ F_q[t][x] be a polynomial, d a power of the characteristic of F_q and f = f̄(x^d). Let ℓ be an irreducible polynomial in F_q[t]. Then there is a bijection between the sets {r̄ ∈ F_q[t] | deg r̄ < deg ℓ, f̄(r̄) ≡ 0 mod ℓ} and {r ∈ F_q[t] | deg r < deg ℓ, f(r) ≡ 0 mod ℓ}.

Proof. The non-null residues modulo ℓ form a group of cardinality N(ℓ) − 1, which is coprime to q and hence to d. Therefore any non-zero root r̄ has one and only one d-th root modulo ℓ, and the root r̄ = 0 has only the d-th root 0. □

The second reason for the bad values of alpha is that most of the roots modulo irreducible polynomials ℓ do not lift to roots modulo ℓ^2. Recall the following classical result.

Lemma 4.5. Let ℓ ∈ F_q[t] be an irreducible polynomial. Write (F_q[t]/(ℓ^2))^* for the group of residues modulo ℓ^2 which are not divisible by ℓ. Put U = {e^{N(ℓ)} | e ∈ (F_q[t]/(ℓ^2))^*} and V = {1 + ℓw | deg w < deg ℓ}. Then we have

$$(\mathbb{F}_q[t]/(\ell^2))^* \simeq U \times V.$$

The group U has order N(ℓ) − 1, which is coprime to d, so d-th roots always exist and are unique in U. On the other hand, in V only the neutral element is a d-th power. As a consequence only a fraction 1/#V = 1/N(ℓ) of the residues r modulo ℓ^2 can have d-th roots modulo ℓ^2. Let us make the heuristic that the roots of f̄ modulo ℓ^2 are random elements of F_q[t]/(ℓ^2). Then only a small fraction of the roots of f lift modulo squares of irreducible polynomials and, for a non-negligible fraction of polynomials f, no root r modulo any irreducible polynomial ℓ lifts modulo ℓ^2.

Among the Coppersmith polynomials f, i.e. those for which f̄ is linear, many are such that no modular root of f lifts modulo squares. Let us compute the value of alpha in this situation.

Lemma 4.6. Let f̄ be a linear polynomial of F_q[t][x], d a power of the characteristic of F_q, and put f = f̄(x^d). Assume that there is no pair of polynomials ℓ and r, with ℓ irreducible and r of degree less than that of ℓ^2, such that f(r) ≡ 0 mod ℓ^2. Then we have

$$\alpha(f) = \frac{2}{q-1}.$$

Proof. By Lemma 4.4, for all ℓ, f has exactly one affine or projective root modulo ℓ. By Corollary 2.9, for every irreducible polynomial ℓ we have

$$\alpha_\ell(f) = \deg(\ell)\left(\frac{1}{N(\ell)-1} - \frac{1}{N(\ell)+1}\right) = \frac{2\deg(\ell)}{q^{2\deg\ell}-1}.$$

Hence we obtain α(f) = 2 (Σ_{k≥1} k I_k/(q^{2k} − 1)), with I_k the number of monic irreducible polynomials of degree k in F_q[t]. The sum in parentheses was computed in Proposition 2.12 and equals 1/(q − 1). This completes the calculation.

□
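As an added example, not code from the paper, the following Python snippet checks the three ingredients of the proof above on a Coppersmith-type polynomial f = x^8 + tλ over F_2[t] with a constructed λ: Lemma 4.4 (f and f̄ = x + tλ have the same number of roots modulo each irreducible ℓ), Lemma 4.5 (the d-th powers of the units modulo ℓ^2 are exactly N(ℓ) − 1 in number, so most roots do not lift) and the partial sums of α(f) = 2 Σ_k k I_k/(q^{2k} − 1), which approach 2/(q − 1) = 2. The polynomials λ, the degree bounds and all function names are this example's own; the per-ℓ term it sums is the one in the proof, which is valid only where no root lifts, and the function reports the ℓ at which a root does lift so the reader can see whether the hypothesis of the lemma holds.

```python
"""Added example (not from the paper): checking Lemmas 4.4-4.6 on a
Coppersmith-type inseparable polynomial f = x^d + t*lam over F_2[t].
Elements of F_2[t] are Python ints, bit i being the coefficient of t^i
(the paper's hexadecimal convention); addition is XOR."""
from fractions import Fraction

T = 0b10                        # the polynomial t


def deg(p):
    return p.bit_length() - 1   # deg(0) = -1


def mul(a, b):
    """Product in F_2[t] (carry-less multiplication)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def mod(a, m):
    """Remainder of a modulo m in F_2[t]."""
    dm = deg(m)
    while a and deg(a) >= dm:
        a ^= m << (deg(a) - dm)
    return a


def irreducibles_up_to(max_deg):
    """Monic irreducibles of F_2[t] of degree <= max_deg, by trial division
    with the irreducibles of degree <= k/2 found so far."""
    irr = []
    for k in range(1, max_deg + 1):
        for p in range(1 << k, 1 << (k + 1)):          # all monic of degree k
            if all(mod(p, l) != 0 for l in irr if deg(l) <= k // 2):
                irr.append(p)
    return irr


def eval_mod(coeffs, r, m):
    """coeffs = [f_0, ..., f_d] in F_2[t]; returns f(r) mod m (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = mod(mul(acc, r) ^ c, m)
    return acc


def roots_mod(coeffs, m):
    """Residues r with deg r < deg m and f(r) = 0 mod m, by brute force."""
    return [r for r in range(1 << deg(m)) if eval_mod(coeffs, r, m) == 0]


def lifts_to_square(coeffs, ell, r):
    """Does the root r mod ell lift to a root r + ell*w mod ell^2?"""
    ell2 = mul(ell, ell)
    return any(eval_mod(coeffs, r ^ mul(ell, w), ell2) == 0
               for w in range(1 << deg(ell)))


def dth_power_count(ell, d):
    """Number of distinct d-th powers among the units modulo ell^2.
    Lemma 4.5 predicts N(ell) - 1 = 2^deg(ell) - 1 when d is a power of 2."""
    ell2 = mul(ell, ell)
    powers = set()
    for e in range(1 << (2 * deg(ell))):
        if mod(e, ell) == 0:                 # divisible by ell: not a unit
            continue
        x = 1
        for _ in range(d):
            x = mod(mul(x, e), ell2)
        powers.add(x)
    return len(powers)


def coppersmith_alpha(lam, d, max_deg):
    """For f = x^d + t*lam and fbar = x + t*lam, over the irreducible ell of
    degree <= max_deg: count the ell where the root counts of f and fbar
    differ (Lemma 4.4 says never), list the ell at which some root lifts
    mod ell^2, and sum the per-ell term of the proof of Lemma 4.6,
        deg(ell) * (1/(N-1) - n_roots/(N+1)),  N = 2^deg(ell),
    which is the exact alpha_ell only where no root lifts."""
    f = [mul(T, lam)] + [0] * (d - 1) + [1]
    fbar = [mul(T, lam), 1]
    alpha, lifting, mismatches = Fraction(0), [], 0
    for ell in irreducibles_up_to(max_deg):
        N = 1 << deg(ell)
        rts = roots_mod(f, ell)
        if len(rts) != len(roots_mod(fbar, ell)):
            mismatches += 1
        if any(lifts_to_square(f, ell, r) for r in rts):
            lifting.append(ell)
        alpha += Fraction(deg(ell), N - 1) - Fraction(deg(ell) * len(rts), N + 1)
    return alpha, lifting, mismatches


if __name__ == "__main__":
    # constructed lambda = t^3 + t + 1 (0b1011); the other is t^2 + t + 1
    print("units mod (t^2+t+1)^2 that are 8th powers:", dth_power_count(0b111, 8))
    for B in (2, 4, 6, 8):
        a, lifting, mism = coppersmith_alpha(0b1011, 8, B)
        print(f"deg <= {B}: alpha partial sum = {float(a):.4f}, "
              f"lifting ell = {[hex(l) for l in lifting]}, mismatches = {mism}")
```

For λ = t^3 + t + 1 no root lifts modulo ℓ^2 for deg ℓ ≤ 2, and the partial sums 4/3, 8/5, … climb towards 2, the value 2/(q − 1) of the lemma for q = 2; for λ = t^2 + t + 1 the root modulo t + 1 does lift, which is the kind of ℓ the lemma excludes.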

5 Applications to some examples in the literature

5.1 Thomé's record using the Coppersmith algorithm

Thomé [Tho03] solved the discrete logarithm problem in F_{2^607} using the Coppersmith algorithm. Following this algorithm, one sets g = x − t^{76} and f = x^8 + tλ for some polynomial λ ∈ F_q[t] such that t^{607} + λ is irreducible. The polynomial λ_0 = t^{…} + t^{…} + t^{…} + t + 1 used by Thomé minimizes the degree of λ. If one searches for an alternative, it is necessary to increase deg_t f, but this is possible without affecting the size property much. Indeed, the sensible choice is to set the skewness s to 7, so that sigma does not vary much if one increases deg f_0. By testing the polynomials λ with deg λ ≤ 18, we determined that the best alpha corresponds to f_1 = x^8 + t(t^{…} + t^{…} + t^{…} + t^{…} + t^{…} + 1). We compare the two polynomials in Table 4 using the functions defined in this article as well as the sieve efficiency measured with the implementation of [DGV13] and the parameters of Experiment 1.

Table 4: Coppersmith polynomials for F_{2^607}. The parameters in the table are s = 7, e = 24.5 and β = 28. The efficiency, measured in rels/sq, uses the parameters of Experiment 1.

f   | α(f)  | α_∞(f,s) | σ(f,s,e) | ε(f,s,e) | E(f,g,s,e,β) | efficiency
f_0 |  1.27 |          | 108.12   | 109.39   | 1.82·10^8    | 15.2
f_1 | −1.05 |          | 108.42   | 107.36   | 2.10·10^8    | 18.8

Table 5: Classical FFS polynomials for F_{2^607}. The parameters are s = 1, e = 24.5, β = 28. The efficiency, measured in rels/sq, uses the parameters of Experiment 1.

f, g     | α(f)  | α_∞(f,s) | σ(f,s,e) | ε(f,s,e) | E(f,g,s,e,β) | efficiency
f_2, g_2 |  2.15 |          | 122.33   | 124.46   | 8.54·10^8    | 66.0
f_3, g_3 | −0.24 |          | 123.66   | 123.36   | 8.64·10^8    | 73.8
f_4, g_4 | −0.10 |          | 123.66   | 123.42   | 9.49·10^8    | 76.0



5.2 Joux-Lercier's implementation of the classical variant of the FFS

Joux and Lercier [JL02, JL07] considered the fields F_{2^n} with n = 521, 607 and 613. For n = 607 they set f_2 = x^5 + x + t^2 + 1 and g_2 = (t^{121} + t^{…} + t^{…} + t^{…} + t^{…} + 1)x + 1. If one searches for an alternative, the sensible choice is to improve the root property without changing the size property. Since deg_t f_2 = 2 we tested all the polynomials whose degree in t is 1 or 2.

Experiment 2. There are 2^{18} polynomials f such that deg_t f ≤ 2, out of which 2^{12} have deg_t f ≤ 1. There were 1776 irreducible polynomials with deg_t f ≤ 1 whose alpha is below 3. There were 650 irreducible polynomials f with deg_t f ≤ 2 whose alpha is negative and such that the partial sum of alpha up to degree 6 is less than 0.5.

The best 10 values of ε with skewness s = 1 and sieve parameter e = 24.5 were all obtained for polynomials f with deg_t f = 2. The best value was that of f_3 = (t^2 + t)x^5 + (t^2 + t + 1)x^4 + (t + 1)x^3 + t^2 x^2 + t^2 x + …. We could not associate to it a linear polynomial g with deg_t g = 121 because Res(f, g) is always divisible by t (see Section 3.3 for more details), hence we took g_3 = x + t^{…} + t^{…} + t^{…} + t^{…} + t^{…} + t^{…} + t^{…}. The best f for which we could select a linear polynomial g of degree 121 was f_4 = (t^2 + t + 1)x^5 + (t^2 + t + 1)x^4 + x^3 + (t^2 + t + 1)x^2 + (t^2 + t + 1)x + … + t, for which we took g_4 = x + t^{121} + t^{…} + t^{…} + t^{…} + t^{…} + t^{…} + 1. In Table 5 we compare (f_3, g_3) and (f_4, g_4) to (f_2, g_2). Note also that all the polynomials f tested have a small genus, which could explain the small variance of alpha when deg_t f ≤ 2.

5.3 Joux-Lercier's two rational side variant

We recall briefly the "two rational sides" variant of [JL06] and study its properties according to our criteria. This variant selects two polynomials f = γ_1(x) − t and g = x − γ_2(t) for some γ_1 and γ_2 in F_q[t]. Then one collects coprime pairs (a(t), b(t)) ∈ F_q[t]^2 such that both

$$a(\gamma_1(x)) - x\,b(\gamma_1(x)) \quad\text{and}\quad a(t) - \gamma_2(t)\,b(t) \qquad (25)$$

Table 6: Polynomials f for fields of characteristic 3. The last column was obtained using the same software as in Experiment 1 and with parameters fbb0 = fbb1 = 14, lpb0 = lpb1 = 17, S = 1 and q0 = t^{…}.

f, g  | α(f)  | α_∞(f,s) | σ(f,s,e) | ε(f,s,e) | E(f,g,s,e,β) | efficiency
f_i   |  1.33 |          | 94.00    | 95.33    | 1.03·10^8    | 14.6
f_5   |  0.29 |          | 94.75    | 95.04    | 1.23·10^8    | 17.0
f_5'  | −3.67 |          | 96.75    | 93.03    | 1.61·10^8    | 21.3

are β-smooth for some smoothness bound β. It can be easily checked that the expressions in Equation (25) have precisely the same degrees as in the classical FFS where we consider the norms of a − bx with respect to the function fields of f and g when deg_t f = 1 and deg_x g = 1. Therefore this variant does not surpass the classical one in terms of size property.

As for the root properties, note that the second expression in Equation (25), which is a polynomial in F_q[t], is the norm of a − bx with respect to the linear polynomial g, so its alpha value is constant and equal to that of the linear side of the classical variant. On the other hand, the root property of the polynomial in F_q[x] in Equation (25) cannot be directly measured with our definition of alpha. Still, the number of polynomials f among which one selects to get a good root property is small, so we cannot expect a large deviation; e.g. there are 2^{…} values of f such that deg_x f = 6.

5.4 Records on pairing-friendly curves

The fields F_{3^{6n}} are of particular interest in cryptography, since one can break the cryptosystems which use pairing-friendly curves over F_{3^n} by solving the discrete logarithm problem in F_{3^{6n}}. The recently proposed algorithm of Joux [Jou13] proved to be very fast for fields of composite degree. It rendered the FFS obsolete in this case and drastically reduced the security of these curves. This section is also interesting for illustrating the behaviour of separable polynomials.

These fields allow us to run the FFS with a base field F_{3^d} with d = 2, 3 or 6. Hence we collect coprime pairs (a, b) of polynomials in F_{3^d}[t] such that both F(a, b) and G(a, b) factor into polynomials of small degree of F_{3^d}[t]. The Galois variant [JL06] consists in choosing the polynomials f and g with coefficients in F_3[t] rather than in F_{3^d}[t]. Its main advantage is that, thanks to Galois properties, the factor base is reduced by a factor of d.

Hayashi et al. [HSW+10] used the base field F_{3^6} and the polynomial f_i = x^6 + t to break curves over F_{3^71}. Two years later, Hayashi et al. [HSST12] used the base field F_{3^3} and again f_i = x^6 + t to break cryptosystems over F_{3^97}.

Since the polynomial f_i is inseparable, as explained in Section 4.2, one quarter of the relations collected by the FFS are free. This roughly translates into a 4/3-fold speedup with respect to separable polynomials having the same sieve efficiency. Note that f_i has the best epsilon among the 486 inseparable polynomials f in F_3[t][x] with deg_t f ≤ 1 and deg_x f = 6.

A better choice can only be a separable polynomial with a better efficiency. Since the efficiency of a polynomial depends on the base field of the factor base, we distinguish the case of F_3 from the case of F_{3^d} with d = 2, 3 or 6.

Experiment 3. Since deg_t(f_i) = 1 we can use any of the 8·3^{12} polynomials f in F_3[t][x] such that deg_t f ≤ 1 without changing the size property. The best alpha with respect to F_3 corresponded to f_5 = t x^6 − t x^{…} + (−t + 1)x^{…} + (t − 1)x + t.

Since alpha has a small variance on the polynomials tested in Experiment 3, we also consider the separable polynomial f_5' = x^6 − x^{…} + (t^{…} + t^{…} − t^{…} + t^{…} + 1), which is well suited when the skewness parameter is set to 1. Table 6 compares f_5 and f_5' to f_i for some randomly chosen linear polynomials.

In the case when the base field is F_{3^6} or F_{3^3}, the evaluation of alpha is slower by a factor of 200 compared to the case of F_3. Note first that the polynomial f_5, whose root property over F_3 is
Table 7: The values of alpha with respect to different base fields. The notation α(f, F_q) denotes log(q)/log(2) · α(f), with alpha computed with respect to the field F_q.

f   | α(f, F_3) | α(f, F_{3^2}) | α(f, F_{3^3}) | α(f, F_{3^6})
f_i | 2.11      | 0.35          | 0.53          | 0.03
f_5 | 0.46      | 0.16          | 0.21          | 0.08

better than that of f_i, has a poorer value of alpha when the base field is F_{3^6}. In Table 7 we use log(q)/log(2) × α as an alternative to alpha, which allows us to compare polynomials f with coefficients in different rings F_q[t]. The values of alpha are approximated by considering only the contribution of at most 1000 irreducible polynomials in F_{3^d}[t] with d = 1, 2, 3 or 6. Note that the values of log(q)/log(2) × α are close to each other when q = 3^6. This raises the question of how the distribution of alpha evolves when we compute it with respect to a factor base in F_{3^6}[t] while the polynomials f are in F_3[t][x].

6 Conclusions and open questions

Improving on Joux and Lercier's method of polynomial selection [JL02], we noted that a single polynomial f can be used to solve the discrete logarithm problem on a range of inputs. Since the selection of f can be seen as a precomputation, we developed a series of functions which compare arbitrary polynomials and which are much faster than directly testing the sieve efficiency. In particular we obtained a sieving procedure for computing alpha, the function which measures the root property, and we defined a function for measuring the cancellation property.

The case of inseparable polynomials was of particular interest, as it has no equivalent notion in the NFS world. We showed that inseparable polynomials have the advantage of a large number of free relations, but that most inseparable polynomials have a bad root property. The last section applied the new functions to some records in the literature.

The paper also opened some questions. First, thanks to the polynomial selection proposed in [JL03], this discussion could be adapted to the prime field computations by NFS. Secondly, the proof of the convergence of alpha seems to indicate that the distribution of alpha is influenced by the genus of the function fields. Finally, in the case of the Galois variant, it is interesting to know how the variance of alpha evolves when restricted to Galois polynomials. If the variance is small enough, the sensible choice for the Galois variant seems to be the inseparable polynomials.
A Appendix

Lemma A.1. Under the notations of Proposition 2.7, Equation (…) holds.

Proof. First, the equality below holds because we can change the summation order of an absolutely convergent series:

$$\sum_{k\ge 1} P\big(v_\ell(F(a,b)) \ge k\big) = \sum_{(r,k)\in S(f,\ell)} P\big((a:b) \equiv r \bmod \ell^k\big).$$

Secondly, since for all k, P(v_ℓ(F(a,b)) = k) = P(ℓ^k | F(a,b)) − P(ℓ^{k+1} | F(a,b)) and k·P(ℓ^k | F(a,b)) → 0, we have

$$\sum_{k\ge 1} k\,P\big(v_\ell(F(a,b)) = k\big) = \sum_{k\ge 1} P\big(v_\ell(F(a,b)) \ge k\big).$$

Finally, let us prove that α_hom(f) exists and equals Σ_{k≥1} k P(v_ℓ(F(a,b)) = k). For each N and k put

$$\alpha_{\mathrm{hom}}(f;N,k) = \frac{\sum\{\min(v_\ell(F(a,b)),k) \mid \gcd(a,b)\not\equiv 0 \bmod \ell,\ \deg a,\deg b < N\}}{\#\{(a,b) \mid \gcd(a,b)\not\equiv 0 \bmod \ell,\ \deg a,\deg b < N\}}.$$

Call α_hom(f; N) the expression above when min(v_ℓ(F(a,b)), k) is replaced with v_ℓ(F(a,b)). On the one hand, for any k_0 ∈ ℕ we have α_hom(f; N, k_0) ≤ α_hom(f; N), so

$$\sum_{k\ge 1} k\,P\big(v_\ell(F(a,b)) = k\big) \le \liminf_{N\to\infty} \alpha_{\mathrm{hom}}(f;N).$$

On the other hand, let k_1 be large enough that all the affine and projective roots modulo ℓ^{k_1} are simple, and put N = k_1 deg ℓ. Since N = k_1 deg ℓ, the proportion of pairs (a, b) of degree at most N such that (a : b) ≡ r mod ℓ^k for some root (r, k) equals the probability P((a : b) ≡ r mod ℓ^k). Hence α_hom(f; N, N/deg ℓ) = Σ_{k=1}^{N/deg ℓ} k P(v_ℓ(F(a,b)) = k). Now, since the roots modulo ℓ^{k_1} are simple, there are at most deg f of them. Also, for a and b of degree bounded by N, the norm F(a, b) has degree bounded by N deg f + |f|, with |f| the maximal degree of the coefficients of f. Hence

$$\big|\alpha_{\mathrm{hom}}(f;N) - \alpha_{\mathrm{hom}}(f;N,N/\deg\ell)\big| \le \frac{\deg f\,(N\deg f + |f|)}{\cdots}.$$

This further implies

$$\limsup_{N\to\infty} \alpha_{\mathrm{hom}}(f;N) \le \sum_{k\ge 1} k\,P\big(v_\ell(F(a,b)) = k\big).$$

We conclude that α_hom(f; N) converges to Σ_{k∈ℕ} k P(v_ℓ(F(a,b)) = k). □